Brazil to try shielding itself from NSA with national secure e-mail

"Without respect for.. sovereignty, there is no basis for proper relations."

Brazil is continuing to spearhead a very public anti-NSA (National Security Agency) movement, with President Dilma Rousseff revealing more details on Twitter about the launch of a national secure e-mail.

"This measure is [the first part of enlarging the] privacy and inviolability of official messages," wrote Rousseff (according to Google Translate). "We must secure messaging to prevent possible espionage."

Rousseff went on to say that Serpro, the Brazilian federal data processing service, would deploy the new system, designed to protect all official government correspondence.

Since early September, when Rio-based Guardian journalist Glenn Greenwald revealed that the NSA had been spying on Brazilian government emails, Rousseff has not hesitated in making her feelings clear about the diplomatic betrayal.

With the reveal, Greenwald showed the world that far from US intelligence being "focused, above all, on finding the information that's necessary to protect our people and, in many cases, protect our allies," as President Obama put it during an August press conference, the NSA program stretches to commercial espionage, apparently for US financial gain.

According to Greenwald, Snowden shared documentation with the Guardian that proved the NSA spied not only on Rousseff's private correspondence, her Internet history, and e-mails between her aides, but also on ordinary Brazilian citizens and the country's commercial interests, including Brazilian energy company Petrobras' dealings. The latter has since announced it will invest $9.5 billion over the next five years in protecting its privacy. The leaks also showed that Mexican president Enrique Peña Nieto's correspondence was watched and that Canada's spy agency had monitored activity surrounding Brazil's Mine and Energy Ministry.

Immediately after the revelations, the idea of a national e-mail system was floated by the Brazilian government. It had already been working on a national equivalent to services such as Gmail, but in the aftermath of the Snowden leaks, the country announced it would extend the encrypted service. For more on the relative pros and cons of a national Internet service—a proposal that, when floated by other governments, has generally been met with distrust—read Wired.co.uk's September report here.

Obama's August words, "I want to make clear, once again, that America is not interested in spying on ordinary people," along with the snarky kick-to-the-global-gut, "we show a restraint that many governments around the world don't even think to do" were understandably tough to swallow after these revelations. And Rousseff has fought back with more ferocity than perhaps any other nation, taking action rather than floating platitudes.

Speaking to the United Nations at the end of September, weeks after the revelations, she said: "Without the right of privacy, there is no real freedom of speech or freedom of opinion, and so there is no actual democracy. Without respect for [a nation's] sovereignty, there is no basis for proper relations among nations. Those who want a strategic partnership cannot possibly allow recurring and illegal action to go on as if they were an ordinary practice."

The future of Internet governance

Meanwhile, on October 7, a conglomerate of representatives from bodies seeking to monitor the development and growth of the Internet, from the non-profit Internet Corporation for Assigned Names and Numbers to the World Wide Web Consortium, released a statement on the "Future of Internet Cooperation," announcing its concerns over "the undermining of the trust and confidence of internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for the "globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing."

Both ICANN and IANA (Internet Assigned Numbers Authority) are US-based organizations, with the latter founded by the US government and responsible for overseeing global IP address allocation and other administrative duties that keep the web running smoothly. The call by the ten organizations makes it clear there is a drive to break down US dominance of Internet controls, many of which are overseen purely by the US Commerce Department. One day after the statement was released, Fadi Chehadé, CEO of ICANN, met with Rousseff and called on her to "elevate her leadership to a new level, to ensure that we can all get together around a new model of governance in which all are equal."

Rousseff stepped up to the challenge and shortly after announced Brazil would host "an international summit of government, industry, civil society, and academia" on the topic of internet governance in April 2014.

"The trust in the global Internet has been punctured, and now it's time to restore this trust through leadership and institutions that can make that happen," commented Chehadé, explaining Rousseff's suitability for the leadership role in this domain by referring to her UN address: "She expressed the world's interest to actually find out how we are going to all live together in this new digital age."

Senators heading the Comissão Parlamentar de Inquérito, organized in the aftermath of the NSA revelations, last week called on Greenwald to divulge more details on the surveillance program, suggesting it might seize the papers if it could not arrange for an interview with Edward Snowden. Greenwald was understandably reluctant, and it looks more likely a teleconferencing session might be held.

Meanwhile Brazil Communications Minister Paulo Bernardo has announced he's looking into making it a legal requirement for all data exchanges in Brazil to be made using locally produced equipment.

US-Brazil trade and energy issues were debated by the nations' respective leaders as recently as April, several months before the extent of Prism was made public. Then, President Obama said "we think that we can cooperate closely on a whole range of energy projects together," after praising its South American partner for its "extraordinary progress" in becoming "not only a leading voice in the region, but also a leading voice in the world." Obama might be rueing the day he acknowledged the nation's strength and global influence.

Our Germans cryptanalysts are better than their Germans cryptanalysts.

I'm willing to bet that best brains work at the NSA. All Brazil will accomplish with this project is a) waste money on this system and b) give its users a false sense of security. NSA will get into it anyway.

This is a pretty ballsy move. Hope it works out, maybe it will set a precedent for more countries to move away from US IP. Seems like economic consequences are the only thing that will cause congress to change anything.

Meanwhile Brazil's communications minister Paulo Bernardo has announced he's looking into making it a legal requirement for all data exchanges in Brazil to be made using locally produced equipment.

This just a political move to create a government controlled intranet .

That was my thought as well. Sounds like an opportunity for the government in Brazil to knock out two birds with one stone: keep out international spying organizations and keep a closer eye on domestic dissenters.

This is a pretty ballsy move. Hope it works out, maybe it will set a precedent for more countries to move away from US IP. Seems like economic consequences are the only thing that will cause congress to change anything.

Maybe it will even set an international standard for email encryption, so the rest of us can join in. They must publish their standard, or else email from Brazil will be unreadable elsewhere - unless the government de-crypts all email crossing the border at the Great Wall of Brazil, but if they could do that then they could de-crypt anything which would mean the system's inherently broken.

Our Germans cryptanalysts are better than their Germans cryptanalysts.

I'm willing to bet that best brains work at the NSA. All Brazil will accomplish with this project is a) waste money on this system and b) give its users a false sense of security. NSA will get into it anyway.

I don't think total and impenetrable security is what Brazil is really going for here.

There is no such thing as absolute security. You can only make information time intensive or expensive for an adversary to get to. Any encryption/obfuscation techniques that we have available today (email encryption, TrueCrypt, AES, etc) can all be defeated. It is not an easy matter, and barring guessing easy passwords, the actual decryption would take potentially many lifetimes, but that's not the point. By not sending unencrypted SMTP packets, Brazil will at least make it harder for the NSA to see what they're saying.

Possibly a bigger and more important point is the political message burried within this simple announcement. Brazil is a significant global player standing up to the US and saying "We don't approve of your mass surveillance". The world is not as small as it once was. Business and communication are done globally. In this closed system that our planet is, there's no way you can alienate everyone and still have an easy go of things such as trade and other international diplomacy. Brazil standing up and saying no is a big deal. Brazil is a large and growing world player and may convince others to follow suit.

Practically speaking, you're correct: for an entity with the resources of the NSA, cracking most email encryption (unless done properly) will be trivial. Even then, if the NSA wanted to throw everything they had at an encryption scheme, they still probably would have a pretty good chance. The important thing here is the message the world is sending to the NSA.

While it's a lovely sentiment, the U.S. is not the only government with so-called pervasive surveillance. The U.S. government's surveillance has, however, been made public information.

This has been a large step toward a more transparent government for the U.S., if not a large tumble. Ultimately our country will be better for it, but this dramatic "The U.S.A. is the root of all Internet evil, we have to protect ourselves" sentiment is misguided and misplaced at best, and realistically, gross hypocrisy.

Ultimately I'd assert that building an insulated national e-mail service and requiring exchanges to use locally produced equipment would be a step backwards toward global, transparent government. It'd be supporting state secrets and as other comments have already noted it would be a huge temptation.

Brazil has a wonderfully diverse congress with several political parties represented. I actually admire the country for it. It's worth reading the Wikipedia article on. However, when power shifts are they certain that having networking equipment locally produced wouldn't be something that was exploited? The U.S. has accused China of bugging their networking equipment, now Brazil is accusing the U.S. of the same thing. Is Brazil inherently less corrupt than the U.S.?

It's easy to condemn others' actions to disguise one's own failings. I wonder if there's political scandal in the Brazilian government at the moment?

Best cost/value scenario: this is only a declaration of philosophical position. I can see a country dumping a bunch of resources into building something that won't actually do anything. Much like the NSA surveillance program itself.

Hey, have any of the Snowden docs mentioned how effective the NSA is at penetrating the Great Firewall...?

Slightly off-topic... but am I the only one that thinks the war for the internet has already been fought and lost -- and that gov'ts and huge multinationals are firmly in control?

The dream of a free and open internet is dead... no?

I've posted this before, but damn if it doesn't continue being relevant every single day.

"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

- Commissioner Pravin Lal, "U.N. Declaration of Rights"

To think that was written more than 13 years ago for a computer game. Sid Meier must have been psychic.

This is a pretty ballsy move. Hope it works out, maybe it will set a precedent for more countries to move away from US IP. Seems like economic consequences are the only thing that will cause congress to change anything.

Thanks to the NSA, the US can kiss Internet control goodbye. The UN may suck, but it's too disparate to be spying on me just for the hell of it.

Why does the NSA spy on foreign businesses?The only reason I can fathom is to supply that information to US competitors, such as energy companies. Big US Oil uses the NSA for industrial espionage. Lovely.

Reminds me of the CIA and United Fruit company, and all their disgraceful shenanigans in the 50's and 60's.

This is a pretty ballsy move. Hope it works out, maybe it will set a precedent for more countries to move away from US IP. Seems like economic consequences are the only thing that will cause congress to change anything.

Thanks to the NSA, the US can kiss Internet control goodbye. The UN may suck, but it's too disparate to be spying on me just for the hell of it.

Germany has PRISM and what do you know about it? Nothing. IT companies are not even allowed by law to explain or report government requests.

Every other company has its own NSA and some are far less controlled. What happen with the NSA will just make the US Internet even more free and with more privacy regarding data. Anyone that things other countries did not do the same or are not doing it is just naive. At least it blew up in the US and there are significant changes being make. From the rest of the countries you know nothing, zero, because they are not even allowed to talk to the press or inform anything.

It would not surprise me that after this NSA issue, we start to hear about similar stories from other non us countries.

Let me share something that happened to me last Thursday (no, REALLY): while acquiring a digital certificate from Certisign, under ICP-Brasil (master authority in here), the girl created my public/private key pair in her computer and tried to handle my certificate to me. All of this without asking me if I wanted her to to this.

I said "ok, I won't touch this, the law, yes, LAW, mandates that I create my own key pair", from there on I had to argue with 3 people about this law... that was so absurd I still get angry to this day!

Now, if this e-mail thingy made at SERPRO is going to be as "secure" as the certification authorities are under ICP-Brasil I can only wish our dear president good luck....

Why does the NSA spy on foreign businesses?The only reason I can fathom is to supply that information to US competitors, such as energy companies. Big US Oil uses the NSA for industrial espionage. Lovely.

Reminds me of the CIA and United Fruit company, and all their disgraceful shenanigans in the 50's and 60's.

That is a ridiculous comment. A private company like Google or others would never even try to get competitive advantage like that...

Less widely than that, this appears to be aimed at the fact that the US government reads the Brazilian government's email.

(There's also the more general problem that "Don't get your email service from your government." is probably close to rule #1 of email privacy. It's entirely logically cogent for Brazil's government, as a state, to want employee email to stay within the organization; but for them to attempt to protect J. Random Brazilian? At best that would work against everyone except themselves.)

My first reaction to hearing National Secure Email is, it sounds like it could be making it easier for the governmen to have access to their citizens email (if not immediately, after a less idealistic group is elected). Hopefully it will shame my skepticism.

Less widely than that, this appears to be aimed at the fact that the US government reads the Brazilian government's email.

This is all pretty recent, but the news here in Brazil are that it will be mandatory only for Federal Government, at first. They said that they're still evaluating how to make this available to State and Local govt., and, maybe, the general public. The operating word being “available”.

an entity with the resources of the NSA, cracking most email encryption (unless done properly) will be trivial. Even then, if the NSA wanted to throw everything they had at an encryption scheme, they still probably would have a pretty good chance. The important thing here is the message the world is sending to the NSA.

Bullshit. If you give each recipient a private key and each sender encrypts with their public key, the NSA does not have the resources to decrypt it. There are no passwords involved and brute forcing *one single email* would cost more in electricity alone than a thousand years of the NSA's budget.

They do not have the resources to break any of the industry standard email encryption techniques. The problem is nobody currently uses encryption.

Seeing as how I can read this "article" in its entirety at Wired UK - no point bothering to be at ARS and wasting time on filler content as they have nothing better to do here - so off to Wired UK to read content there.

Seeing as how I can read this "article" in its entirety at Wired UK - no point bothering to be at ARS and wasting time on filler content as they have nothing better to do here - so off to Wired UK to read content there.

From what I recall this email system is for brazilian government workers only (that rely a lot on gmail and other foreigner email implementations). It kinda makes sense because I've seen so many government agencies using shitty email systems, or just using Gmail.

I always assumed the US was spying on everyone it could, same as all other developed nations. I know everyone likes to deny and act outraged when someone is caught, but didn't they all really know it was going on?